Reliance on Cookies without Validation and Integrity Checking in phpservermon/phpservermon

Valid

Reported on

Jun 24th 2021


✍️ Description

The program creates the `rememberme` cookie without setting the secure flag. Modern browsers honour a secure flag on each cookie: when it is set, the browser only sends the cookie over HTTPS. Without it, the cookie is attached to any plain-HTTP request within its scope and can be captured by anyone who can sniff the traffic. This matters most when the cookie carries private data or a session or login token, as this one does: the `rememberme` value is a persistent login credential, so whoever captures it can log in as the user.

In the example below, the code adds the cookie to the response without the secure flag (the sixth argument to setcookie(), which defaults to false):

setcookie('rememberme', $cookie_string, time() + PSM_LOGIN_COOKIE_RUNTIME, "/", PSM_LOGIN_COOKIE_DOMAIN);

🕵️‍♂️ Proof of Concept

How a cookie gets set:

1. The server asks the browser to set a cookie, giving it a name, a value and attributes (expiry, path, domain, flags).
2. The browser stores the cookie on disk or in memory.
3. From then on the browser attaches it to every request that matches the cookie's scope (domain and path). Only the secure flag narrows that to HTTPS requests.

Now as an attacker:

1. The attacker sends the user a link to a plain-HTTP URL inside the cookie's scope, for example http://malicious-site.domain.com/ when PSM_LOGIN_COOKIE_DOMAIN is domain.com (the cookie is sent to any host under that domain).
2. Because the secure flag is not set, the browser attaches the `rememberme` cookie to that request and transmits it in clear text, where anyone on the network path can read it.
3. The attacker can induce this request directly (a link in a message) or indirectly (an image or iframe on another web site the user visits).
4. Even if the domain that issued the cookie hosts nothing over HTTP, a link of the form http://malicious-site.domain.com:443/ still works: the browser makes an unencrypted HTTP request, with the cookie, to the HTTPS port, and the cookie crosses the network in the clear before the server rejects the request.
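As a check a practitioner can run against the login response, the following added example (not phpservermon code) parses Set-Cookie headers and reports the protective attributes that are missing. The two sample headers are constructed for illustration: the first is what the unpatched call emits, the second what a hardened call emits. The function name `auditSetCookie` is an assumption.

```php
<?php
// Added example, not phpservermon's code: audit Set-Cookie headers for the
// flags a session / remember-me cookie should carry. Feed it the headers of a
// real login response (e.g. from `curl -si` or PHP's get_headers()).

function auditSetCookie(string $header): array
{
    // "name=value; attr; attr=value" -> cookie name + lower-cased attribute map
    $parts = array_map('trim', explode(';', $header));
    [$name] = explode('=', array_shift($parts), 2);

    $attrs = [];
    foreach ($parts as $p) {
        // flag attributes (secure, HttpOnly) have no "=value"; pad with true
        [$k, $v] = array_pad(explode('=', $p, 2), 2, true);
        $attrs[strtolower($k)] = $v;
    }

    $findings = [];
    if (!isset($attrs['secure'])) {
        $findings[] = 'missing Secure: sent in clear text on any http:// request in scope';
    }
    if (!isset($attrs['httponly'])) {
        $findings[] = 'missing HttpOnly: readable from JavaScript via document.cookie';
    }
    if (!isset($attrs['samesite'])) {
        $findings[] = 'missing SameSite: attached to cross-site requests';
    }
    return ['cookie' => $name, 'findings' => $findings];
}

// Constructed samples (cookie value and expiry are placeholders):
$samples = [
    // what the unpatched setcookie() call produces
    'rememberme=1%3Aabc123; expires=Thu, 08 Jul 2021 10:00:00 GMT; Max-Age=1209600; path=/; domain=monitor.example',
    // what a hardened call produces
    'rememberme=1%3Aabc123; expires=Thu, 08 Jul 2021 10:00:00 GMT; Max-Age=1209600; path=/; domain=monitor.example; secure; HttpOnly; SameSite=Lax',
];

foreach ($samples as $h) {
    $r = auditSetCookie($h);
    printf("%s: %s\n", $r['cookie'], $r['findings'] ? implode('; ', $r['findings']) : 'OK');
}
```

Run it with `php audit.php`; the first sample reports all three missing attributes, the second reports OK. The same parse applies to any cookie the application sets, not only `rememberme`.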

💥 Impact

An attacker who can observe the clear-text request, or induce the user to make one, can:

  1. capture the `rememberme` cookie and replay it to obtain the user's persistent login to the monitor without knowing their credentials;
  2. act as that user in the interface and show them false data, which in turn undermines the credibility of the website.

🕵️‍♂️ Patch

Set the secure flag on all new cookies so that browsers never send them in the clear. With the positional form of setcookie() this is the sixth argument ($secure); the seventh ($httponly) should be set as well so the cookie cannot be read from JavaScript, and on PHP 7.3 and later the options-array form additionally allows 'samesite'. Note that modern browsers discard a Secure cookie that is set over a plain-HTTP response, so the login page itself must be served over HTTPS for the remember-me feature to keep working after this change.

The code below corrects the mistake by setting the secure flag to true.

setcookie('rememberme', $cookie_string, time() + PSM_LOGIN_COOKIE_RUNTIME, "/", PSM_LOGIN_COOKIE_DOMAIN, TRUE);
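The following added example (not phpservermon's code) wraps the corrected call in a helper that sets all three protective attributes and refuses to issue the cookie over plain HTTP, since the browser would drop a Secure cookie set that way anyway. PSM_LOGIN_COOKIE_RUNTIME and PSM_LOGIN_COOKIE_DOMAIN are the constants from the report and $cookie_string stands for the token the application generates; the helper name and the HTTPS detection via $_SERVER are assumptions. The options-array signature requires PHP 7.3 or later.

```php
<?php
// Added example, not phpservermon's code: set the remember-me cookie with
// Secure, HttpOnly and SameSite, and only over HTTPS.

function setRememberMeCookie(string $cookie_string, string $domain, int $runtime): bool
{
    // Assumption: detect HTTPS the way most PHP front ends expose it.
    $over_https = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (int)($_SERVER['SERVER_PORT'] ?? 0) === 443;

    // A Secure cookie set over plain HTTP is discarded by modern browsers, so
    // refuse rather than silently drop the flag: remember-me is HTTPS-only.
    if (!$over_https) {
        error_log('rememberme cookie not set: request was not over HTTPS');
        return false;
    }

    // PHP >= 7.3 options-array form; the keys map to the positional arguments
    // plus 'samesite', which the positional form cannot express.
    return setcookie('rememberme', $cookie_string, [
        'expires'  => time() + $runtime,
        'path'     => '/',
        'domain'   => $domain,
        'secure'   => true,   // the fix from this report: never sent over http://
        'httponly' => true,   // not readable via document.cookie
        'samesite' => 'Lax',  // not attached to cross-site POSTs
    ]);
}

// Usage at the point where the original call was made:
// setRememberMeCookie($cookie_string, PSM_LOGIN_COOKIE_DOMAIN, PSM_LOGIN_COOKIE_RUNTIME);

// Equivalent positional call for PHP < 7.3 (no SameSite in this signature):
// setcookie('rememberme', $cookie_string, time() + PSM_LOGIN_COOKIE_RUNTIME,
//           '/', PSM_LOGIN_COOKIE_DOMAIN, true, true);
```

Returning false instead of falling back to an insecure cookie makes an HTTP-only deployment fail visibly in the log rather than leak the token, which is the behaviour a reviewer would want to see.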


We have contacted a member of the phpservermon team and are waiting to hear back 2 years ago
Tim Zandbergen validated this vulnerability 2 years ago
Akshay Jain has been awarded the disclosure bounty
The fix bounty is now up for grabs
Akshay Jain submitted a
2 years ago
Tim Zandbergen, 2 years ago:

Thanks Akshay, will merge and confirm asap.

Akshay Jain (Researcher), 2 years ago:

Hi @Tim, any updates?

Tim Zandbergen marked this as fixed with commit 76d0c2 2 years ago
Akshay Jain has been awarded the fix bounty
This vulnerability will not receive a CVE